Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

HJT Log -crazygurl31


  • Please log in to reply

#1
crazygurl31

crazygurl31

    Member

  • Member
  • PipPip
  • 23 posts
Logfile of HijackThis v1.98.2
Scan saved at 1:26:16 PM, on 1/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\cmd64.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\system32\dvpilatt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\WebSiteViewer\125930.dlr
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Machelle Nash\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: (no name) - {C892AB1B-69A6-1171-D71B-33861A397AE6} - C:\WINDOWS\System32\bsgpnir.dll
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [FeCPY] "C:\Program Files\Common Files\Java\fecpy.exe"
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [B0F65D5B] C:\WINDOWS\system32\Aumut.exe
O4 - HKLM\..\Run: [9D7A87E6] C:\WINDOWS\system32\dvpilatt.exe
O4 - HKLM\..\Run: [A7C90F56] C:\WINDOWS\system32\vpsdeomnsol.exe
O4 - HKLM\..\Run: [09FE3E86] C:\WINDOWS\system32\ivedtmg.exe
O4 - HKLM\..\Run: [E8CA39F3] C:\WINDOWS\system32\srvceer.exe
O4 - HKLM\..\Run: [C63AEC4E] C:\WINDOWS\system32\tmvicert.exe
O4 - HKLM\..\Run: [AA5C4246] C:\WINDOWS\system32\pcupac.exe
O4 - HKLM\..\Run: [A5119C73] C:\WINDOWS\system32\tresvpsad.exe
O4 - HKLM\..\Run: [E17AB1F3] C:\WINDOWS\system32\trescat.exe
O4 - HKLM\..\Run: [1D39796E] C:\WINDOWS\system32\pctex.exe
O4 - HKLM\..\Run: [99A1D7F3] C:\WINDOWS\system32\upsx3xmrt.exe
O4 - HKLM\..\Run: [DE5EF4C3] C:\WINDOWS\system32\ivcon.exe
O4 - HKLM\..\Run: [F8A046D3] C:\WINDOWS\system32\ldpkctsapi.exe
O4 - HKLM\..\Run: [ED9655DB] C:\WINDOWS\system32\aamoacc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AEF50446] C:\WINDOWS\system32\clupar.exe
O4 - HKLM\..\Run: [CDBDC806] C:\WINDOWS\system32\rtmMDM.exe
O4 - HKLM\..\Run: [D38EAA86] C:\WINDOWS\system32\dptipobj.exe
O4 - HKLM\..\Run: [8D3E235E] C:\WINDOWS\system32\nvfcry.exe
O4 - HKLM\..\Run: [A0B8230B] C:\WINDOWS\system32\ldatatsr.exe
O4 - HKLM\..\Run: [A39A8373] C:\WINDOWS\system32\o4siwser.exe
O4 - HKLM\..\Run: [83D4F9EB] C:\WINDOWS\system32\QShbken.exe
O4 - HKLM\..\Run: [BBC2BB53] C:\WINDOWS\system32\tclnetc.exe
O4 - HKLM\..\Run: [AEDA867E] C:\WINDOWS\system32\cabrds.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\MACHEL~1\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [E8CA39F3] C:\WINDOWS\system32\srvceer.exe
O4 - HKCU\..\Run: [A7C90F56] C:\WINDOWS\system32\vpsdeomnsol.exe
O4 - HKCU\..\Run: [09FE3E86] C:\WINDOWS\system32\ivedtmg.exe
O4 - HKCU\..\Run: [C63AEC4E] C:\WINDOWS\system32\tmvicert.exe
O4 - HKCU\..\Run: [AA5C4246] C:\WINDOWS\system32\pcupac.exe
O4 - HKCU\..\Run: [E17AB1F3] C:\WINDOWS\system32\trescat.exe
O4 - HKCU\..\Run: [A5119C73] C:\WINDOWS\system32\tresvpsad.exe
O4 - HKCU\..\Run: [B0F65D5B] C:\WINDOWS\system32\Aumut.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [1D39796E] C:\WINDOWS\system32\pctex.exe
O4 - HKCU\..\Run: [9D7A87E6] C:\WINDOWS\system32\dvpilatt.exe
O4 - HKCU\..\Run: [99A1D7F3] C:\WINDOWS\system32\upsx3xmrt.exe
O4 - HKCU\..\Run: [DE5EF4C3] C:\WINDOWS\system32\ivcon.exe
O4 - HKCU\..\Run: [F8A046D3] C:\WINDOWS\system32\ldpkctsapi.exe
O4 - HKCU\..\Run: [ED9655DB] C:\WINDOWS\system32\aamoacc.exe
O4 - HKCU\..\Run: [AEF50446] C:\WINDOWS\system32\clupar.exe
O4 - HKCU\..\Run: [CDBDC806] C:\WINDOWS\system32\rtmMDM.exe
O4 - HKCU\..\Run: [D38EAA86] C:\WINDOWS\system32\dptipobj.exe
O4 - HKCU\..\Run: [8D3E235E] C:\WINDOWS\system32\nvfcry.exe
O4 - HKCU\..\Run: [A39A8373] C:\WINDOWS\system32\o4siwser.exe
O4 - HKCU\..\Run: [A0B8230B] C:\WINDOWS\system32\ldatatsr.exe
O4 - HKCU\..\Run: [BBC2BB53] C:\WINDOWS\system32\tclnetc.exe
O4 - HKCU\..\Run: [83D4F9EB] C:\WINDOWS\system32\QShbken.exe
O4 - HKCU\..\Run: [AEDA867E] C:\WINDOWS\system32\cabrds.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103947677500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v6.cab

NE help will be appreciated. Thanx.
  • 0

Advertisements


#2
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Please download "Del Domain" from here:

http://www.geekstogo...=download&id=40

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Now right click "Deldomains.inf" and click "Install". It will not appear to have done anything, thats ok. Next step.

You may wish to print out a copy of these instructions to follow while you complete this procedure. Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: (no name) - {C892AB1B-69A6-1171-D71B-33861A397AE6} - C:\WINDOWS\System32\bsgpnir.dll

O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [B0F65D5B] C:\WINDOWS\system32\Aumut.exe
O4 - HKLM\..\Run: [9D7A87E6] C:\WINDOWS\system32\dvpilatt.exe
O4 - HKLM\..\Run: [A7C90F56] C:\WINDOWS\system32\vpsdeomnsol.exe
O4 - HKLM\..\Run: [09FE3E86] C:\WINDOWS\system32\ivedtmg.exe
O4 - HKLM\..\Run: [E8CA39F3] C:\WINDOWS\system32\srvceer.exe
O4 - HKLM\..\Run: [C63AEC4E] C:\WINDOWS\system32\tmvicert.exe
O4 - HKLM\..\Run: [AA5C4246] C:\WINDOWS\system32\pcupac.exe
O4 - HKLM\..\Run: [A5119C73] C:\WINDOWS\system32\tresvpsad.exe
O4 - HKLM\..\Run: [E17AB1F3] C:\WINDOWS\system32\trescat.exe
O4 - HKLM\..\Run: [1D39796E] C:\WINDOWS\system32\pctex.exe
O4 - HKLM\..\Run: [99A1D7F3] C:\WINDOWS\system32\upsx3xmrt.exe
O4 - HKLM\..\Run: [DE5EF4C3] C:\WINDOWS\system32\ivcon.exe
O4 - HKLM\..\Run: [F8A046D3] C:\WINDOWS\system32\ldpkctsapi.exe
O4 - HKLM\..\Run: [ED9655DB] C:\WINDOWS\system32\aamoacc.exe

O4 - HKLM\..\Run: [AEF50446] C:\WINDOWS\system32\clupar.exe
O4 - HKLM\..\Run: [CDBDC806] C:\WINDOWS\system32\rtmMDM.exe
O4 - HKLM\..\Run: [D38EAA86] C:\WINDOWS\system32\dptipobj.exe
O4 - HKLM\..\Run: [8D3E235E] C:\WINDOWS\system32\nvfcry.exe
O4 - HKLM\..\Run: [A0B8230B] C:\WINDOWS\system32\ldatatsr.exe
O4 - HKLM\..\Run: [A39A8373] C:\WINDOWS\system32\o4siwser.exe
O4 - HKLM\..\Run: [83D4F9EB] C:\WINDOWS\system32\QShbken.exe
O4 - HKLM\..\Run: [BBC2BB53] C:\WINDOWS\system32\tclnetc.exe
O4 - HKLM\..\Run: [AEDA867E] C:\WINDOWS\system32\cabrds.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\MACHEL~1\LOCALS~1\Temp\27.exe\27.exe"

O4 - HKCU\..\Run: [E8CA39F3] C:\WINDOWS\system32\srvceer.exe
O4 - HKCU\..\Run: [A7C90F56] C:\WINDOWS\system32\vpsdeomnsol.exe
O4 - HKCU\..\Run: [09FE3E86] C:\WINDOWS\system32\ivedtmg.exe
O4 - HKCU\..\Run: [C63AEC4E] C:\WINDOWS\system32\tmvicert.exe
O4 - HKCU\..\Run: [AA5C4246] C:\WINDOWS\system32\pcupac.exe
O4 - HKCU\..\Run: [E17AB1F3] C:\WINDOWS\system32\trescat.exe
O4 - HKCU\..\Run: [A5119C73] C:\WINDOWS\system32\tresvpsad.exe
O4 - HKCU\..\Run: [B0F65D5B] C:\WINDOWS\system32\Aumut.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [1D39796E] C:\WINDOWS\system32\pctex.exe
O4 - HKCU\..\Run: [9D7A87E6] C:\WINDOWS\system32\dvpilatt.exe
O4 - HKCU\..\Run: [99A1D7F3] C:\WINDOWS\system32\upsx3xmrt.exe
O4 - HKCU\..\Run: [DE5EF4C3] C:\WINDOWS\system32\ivcon.exe
O4 - HKCU\..\Run: [F8A046D3] C:\WINDOWS\system32\ldpkctsapi.exe
O4 - HKCU\..\Run: [ED9655DB] C:\WINDOWS\system32\aamoacc.exe
O4 - HKCU\..\Run: [AEF50446] C:\WINDOWS\system32\clupar.exe
O4 - HKCU\..\Run: [CDBDC806] C:\WINDOWS\system32\rtmMDM.exe
O4 - HKCU\..\Run: [D38EAA86] C:\WINDOWS\system32\dptipobj.exe
O4 - HKCU\..\Run: [8D3E235E] C:\WINDOWS\system32\nvfcry.exe
O4 - HKCU\..\Run: [A39A8373] C:\WINDOWS\system32\o4siwser.exe
O4 - HKCU\..\Run: [A0B8230B] C:\WINDOWS\system32\ldatatsr.exe
O4 - HKCU\..\Run: [BBC2BB53] C:\WINDOWS\system32\tclnetc.exe
O4 - HKCU\..\Run: [83D4F9EB] C:\WINDOWS\system32\QShbken.exe
O4 - HKCU\..\Run: [AEDA867E] C:\WINDOWS\system32\cabrds.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). Be sure you're able to view hidden files, and remove the following files (if found):

C:\WINDOWS\system32\wuclient.exe
C:\WINDOWS\system32\xpsp2fw.exe <<<Try to delete these 2 first.

C:\WINDOWS\System32\bsgpnir.dll
c:\Program Files\Fen
C:\WINDOWS\System32\smiehlp.dll
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\system32\Aumut.exe
C:\WINDOWS\system32\dvpilatt.exe
C:\WINDOWS\system32\vpsdeomnsol.exe
C:\WINDOWS\system32\ivedtmg.exe
C:\WINDOWS\system32\srvceer.exe
C:\WINDOWS\system32\tmvicert.exe
C:\WINDOWS\system32\pcupac.exe
C:\WINDOWS\system32\tresvpsad.exe
C:\WINDOWS\system32\trescat.exe
C:\WINDOWS\system32\pctex.exe
C:\WINDOWS\system32\upsx3xmrt.exe
C:\WINDOWS\system32\ivcon.exe
C:\WINDOWS\system32\ldpkctsapi.exe
C:\WINDOWS\system32\aamoacc.exe

C:\WINDOWS\system32\clupar.exe
C:\WINDOWS\system32\rtmMDM.exe
C:\WINDOWS\system32\dptipobj.exe
C:\WINDOWS\system32\nvfcry.exe
C:\WINDOWS\system32\ldatatsr.exe
C:\WINDOWS\system32\o4siwser.exe
C:\WINDOWS\system32\QShbken.exe
C:\WINDOWS\system32\tclnetc.exe
C:\WINDOWS\system32\cabrds.exe
C:\Program Files\Bpt
C:\DOCUME~1\MACHEL~1\LOCALS~1\Temp\27.exe
C:\WINDOWS\system32\srvceer.exe
C:\WINDOWS\system32\vpsdeomnsol.exe
C:\WINDOWS\system32\ivedtmg.exe
C:\WINDOWS\system32\tmvicert.exe
C:\WINDOWS\system32\pcupac.exe
C:\WINDOWS\system32\trescat.exe
C:\WINDOWS\system32\tresvpsad.exe
C:\WINDOWS\system32\Aumut.exe

C:\WINDOWS\system32\pctex.exe
C:\WINDOWS\system32\dvpilatt.exe
C:\WINDOWS\system32\upsx3xmrt.exe
C:\WINDOWS\system32\ivcon.exe
C:\WINDOWS\system32\ldpkctsapi.exe
C:\WINDOWS\system32\aamoacc.exe
C:\WINDOWS\system32\clupar.exe
C:\WINDOWS\system32\rtmMDM.exe
C:\WINDOWS\system32\dptipobj.exe
C:\WINDOWS\system32\nvfcry.exe
C:\WINDOWS\system32\o4siwser.exe
C:\WINDOWS\system32\ldatatsr.exe
C:\WINDOWS\system32\tclnetc.exe
C:\WINDOWS\system32\QShbken.exe
C:\WINDOWS\system32\cabrds.exe

Reboot normally and post a new log.

-=jonnyrotten=- :tazz:
  • 0

#3
crazygurl31

crazygurl31

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I did all the step and heres whats left:

Logfile of HijackThis v1.98.2
Scan saved at 8:37:34 PM, on 1/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cmd64.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\WebSiteViewer\125930.dlr
C:\Documents and Settings\Machelle Nash\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [FeCPY] "C:\Program Files\Common Files\Java\fecpy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103947677500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v6.cab

Thanx again jonnyrotten! :tazz:
  • 0

#4
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Remove these ones with Hijack This too:

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd64.exe internat.dll,LoadKeyboardProfile

You Have a CoolWebSearch Infection.
Please Download CoolWebShredder, from http://www.geekstogo...=download&id=17 , Extract it, run the program, and update it. Click the Next Button & let it scan. Make sure you let it fix all CWS Remnants. Afterwards, Please Post a fresh Hijack This log.

Reboot into safe mode and delete the following files:

C:\WINDOWS\System32\cmd64.exe

Reboot normally and post a new log.

-=jonnyrotten=- :tazz:
  • 0

#5
crazygurl31

crazygurl31

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I ran Hijackthis again but there are some things on the log that I didn't see when I scan the log. Am I going crazy? Heres the log:
Logfile of HijackThis v1.98.2
Scan saved at 11:06:53 PM, on 1/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Machelle Nash\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [FeCPY] "C:\Program Files\Common Files\Java\fecpy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103947677500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v6.cab
  • 0

#6
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Nope you're not going crazy. You ran Hijack This in Safe Mode. It looks clean, but post another one from normal mode.

Run these first though :tazz:

Spybot Search & Destroy Download and install. Start Spybot S&D, Click the Search for updates button, if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button. You may need to run Spybot S&D multiple times to remove all infections.

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
-> Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
-> Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

-=jonnyrotten=- ;)
  • 0

#7
crazygurl31

crazygurl31

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
THANK YOU SO MUCH 4 ALL YOUR HELP! All I need to know now is how 2 this from happening again. Once again, Thanks a million! :tazz:
  • 0

#8
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)

Also visit my website at the link in my signature, you will find some good information there.

-=jonnyrotten=- :thumbsup:
  • 0

#9
crazygurl31

crazygurl31

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
It's back again & I'm to repeat all the steps but I still have 1 problem. When I try to download any Windows updates, I get page saying that an error has occured & the page cannot be displayed. I haven't had an update in about 7 mos. I tried online support w/Microsoft but that was just a dead end. What should I do? :tazz:
  • 0

#10
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Let's see a fresh HijackThis log. :tazz:

Be sure you're not in safe mode, and enable any items that may have been disabled at startup (like by MSConfig).
  • 0

#11
crazygurl31

crazygurl31

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I followed all of the steps above again and here's the results:

Logfile of HijackThis v1.98.2
Scan saved at 3:23:16 AM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Machelle Nash\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103947677500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v6.cab
O21 - SSODL: Ad-Aware SE Personal - {A661DFE3-037D-27AE-3238-4AD16137DC73} - C:\PROGRA~1\Lavasoft\Ad-Aware SE Personal(2).dll

:tazz:
  • 0

#12
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts

When I try to download any Windows updates, I get page saying that an error has occurred & the page cannot be displayed.

Can you reply with the exact error message? Are the time and date set correctly on your computer?

Please download HiJackThis 1.99 and see if you're able to post a log:
http://www.geekstogo...n=download&id=3
  • 0

#13
crazygurl31

crazygurl31

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
My date and time are correct and the message says "Windows Update has encountered an error and cannot display the requested page. Error number 0x800B0001". New log:

Logfile of HijackThis v1.99.0
Scan saved at 2:22:10 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Machelle Nash\Desktop\Hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103947677500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab27513.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v6.cab
O21 - SSODL: Ad-Aware SE Personal - {A661DFE3-037D-27AE-3238-4AD16137DC73} - C:\PROGRA~1\Lavasoft\Ad-Aware SE Personal(2).dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows User Mode Driver Framework - Unknown - C:\WINDOWS\System32\wdfmgr.exe (file missing)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP